How to exclude information in the definition of scope?
We have purchased your „ISO 27001 Power Toolkit" and would need support. We, ***, offer our customers a SaaS solution. We are currently preparing for TISAX certification and are in the process of setting up the ISMS. TISAX is largely based on ISO 27001.
Here is my question about the scope to be determined:
Our headquarters are in the *** with branches in various countries among others in ***. Only the branch based in *** should be certified and defined in the scope. The design and maintenance of the IaaS and SaaS is specified and executed by the *** headquarters, Therefore we want to treat this area (hosting) and thus its service lines as a supplier. The problem is that employees in our IT department in the *** branch take on maintenance and administrative tasks for the EMEA area of hosting. How can this be excluded in the definition of the scope?
Assign topic to the user
I assume your question is how to exclude maintenance and administrative tasks for the EMEA area of hosting from your scope.
First you have to consider if this exclusion is feasible or not - if the people who work on mentioned tasks within your branch cannot be logically and/or physically separated from the rest of your branch office, then it would be better if they remain in the scope.
If it is feasible to exclude the activities you mentioned from the scope, then you have to define in your ISMS Scope document which activities are, and which are not included in your scope. Together with the toolkit you purchased you have the access to the video tutorial that explains how to fill out the ISMS Scope document.
These materials will also help you with the scope definition:
- article Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Dec 21, 2020